03-14-2014 02:01 PM - edited 07-05-2021 12:26 AM
I'm looking for a wireless network solution for a school system. What they want to be able to do is have the standard private and public SSIDs, but on the public one they want to be able to have time restrictions, such as only available after 3PM etc., sort of like login hours on a domain. Has anyone heard of a system that has this capability, or know how to do this with a Cisco?
03-14-2014 03:15 PM
public one they want to be able to have time restrictions such as only available after 3PM etc sort of like login hours on a domain.
This feature is basic in MS AD. I manage the wireless of >90 schools and we have this turned on. Students can use their credentials from 8am up to 4pm (Mondays to Fridays).
03-14-2014 05:18 PM
Right, I just used the AD as an example. They want to be able to disable the wireless during certain hours, not Windows accounts. That's what I'm looking for as a possibility.
03-14-2014 07:54 PM
03-14-2014 08:08 PM
Right now they have no wireless system, so I'm looking for one to install. What they want is a private SSID signal that is online all the time and a public or guest one that just has internet access and can be set to only work for certain hours. So for your first suggestion, time-based ACL, is that something we'd need a specific router/access point system and/or switch for?
I found this article, is this what you're referring to?
https://supportforums.cisco.com/discussion/11526451/schedule-ssid-availability
03-14-2014 10:08 PM
Ok, you're starting to make some sense.
Q: What they want is a private SSID signal that is online all the time
A: For example, staff? Yes. This is possible.
Q: a public or guest one that just has internet access and can be set to only work for certain hours.
A: Like students and guest/BYOD? Yes, this is possible and you can combine this solution with the ones on top.
What this really boils down to is how "complex" you want it. There are so many ways to accomplish this, and the solution will boil down to how complex you want it and how much technical confidence the administrator has.
Again, with AD you can put staff in an exclusive OU. You disable time-based access here. Students go into another OU where what they can do to a computer, file shares, etc. is strictly restricted and limited. You can enable time-based access.
Next, you can create a time-based ACL. Where do you put this? You can put this time-based ACL where the default gateway of the dynamic interface is. Like I said above, you can combine like this:
Let's presume that VLAN 111 is your staff-only VLAN and VLAN 222 is the student VLAN. So you apply the time-based ACL in your VLAN 222. This is a solution where you can have a time-based ACL on an SSID. This will work whether you deploy autonomous or controller-based wireless access point(s).
Now, a word of the wise: I have seen some people who recommended that you enable time-based ACL on the switchports where the AP is connected to. When you enable time-based ACL on a switchport NOTHING WORKS. Staff will NOT be able to access the SSID, students will not be able to access the SSID. You will NOT be able to access the SSID. I personally wouldn't recommend this.
Another solution I've read is to disable PoE power on the port of the switch where the AP is located. Same as before. NOTHING works and it's dumber than the other one.
And finally, I've seen a solution where a time-based ACL is meant to DISABLE the APs radio. Again, nothing is going to work and this is the DUMBEST solution I've been asked.
Now here's a gotcha for you: Time-based ACL is good. There's one weakness to this solution and it's during holidays. It's hard to put Time-based ACL and also hard to code a "holiday".
Hope this helps and sorry for the long post.
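The time-based ACL placement described in the post above, as an added configuration example that is not part of the original post. It assumes a Cisco IOS Layer 3 device is the default gateway for VLAN 222 and that the guest SSID should be blocked on weekdays before 3 PM; the names, the NTP server address and the staff subnet are constructed placeholders.

```cisco
! Added example, not from the original post.
! Time ranges are evaluated against the device clock, so keep it
! synchronised. 192.0.2.10 is a placeholder NTP server address.
ntp server 192.0.2.10
!
! Active while student/guest access should be blocked:
! Monday to Friday, midnight until just before 3 PM (assumed schedule).
time-range GUEST-BLOCKED
 periodic weekdays 0:00 to 14:59
!
ip access-list extended GUEST-VLAN222-IN
 remark Guests never reach the staff VLAN (10.1.111.0/24 is a constructed subnet)
 deny   ip any 10.1.111.0 0.0.0.255
 remark This entry only matches while GUEST-BLOCKED is active
 deny   ip any any time-range GUEST-BLOCKED
 remark Outside the time range, traffic falls through to this permit
 permit ip any any
!
! Applied at the default gateway of the student/guest VLAN, not on the
! AP switchport, so the staff SSID on VLAN 111 is unaffected.
interface Vlan222
 description Student/guest SSID gateway (VLAN 222 as in the post)
 ip access-group GUEST-VLAN222-IN in
!
! interface Vlan111 (staff) carries no time-based ACL and stays online.
```

`show time-range` reports whether GUEST-BLOCKED is currently active, and `show access-lists GUEST-VLAN222-IN` shows the match counters for each entry.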
03-15-2014 08:04 AM
Exactly, what they've told me they want to limit during the day on the public SSID isn't necessarily AD resources but Internet access itself, so the AD groups won't necessarily help there (students' iPads etc.). So I should implement the time-based ACL on the default gateway of the dynamic interface. Like I mentioned, they currently don't have anything and I'm researching a solution. Is there a certain model of firewall/wireless system this solution would be possible on?
03-15-2014 03:09 PM